The Desktop Services Store (DS_Store) as you probably already know, is a file that stores some metadata about the files in a directory in the OS X. I’ve taken a look at them, they seem pretty harmless, but in the realm of PCI Compliance they are a medium risk because they can reveal the directory structure (which could very well be innocuous depending on the site). Like most of the PCI Compliancy challenges I’ve faced, it’s a pretty simple fix:

Apache

<Files "^\.">
    Order deny,allow
    Deny from all
</Files>

Nginx

location ~ /\.
{
    deny all;
}

Note, the above examples will deny access to all hidden files (.htaccess, .DS_Store, et cetera)